From 626bf7341a031f93c94f55cdf5038b5611903545 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 28 Jan 2026 15:09:57 +0100 Subject: [PATCH] 6.12-stable patches added patches: net-introduce-skb_copy_datagram_from_iter_full.patch vhost-vsock-allocate-nonlinear-skbs-for-handling-large-receive-buffers.patch vsock-virtio-allocate-nonlinear-skbs-for-handling-large-transmit-buffers.patch vsock-virtio-fix-message-iterator-handling-on-transmit-path.patch vsock-virtio-move-length-check-to-callers-of-virtio_vsock_skb_rx_put.patch vsock-virtio-move-skb-allocation-lower-bound-check-to-callers.patch vsock-virtio-rename-virtio_vsock_alloc_skb.patch vsock-virtio-rename-virtio_vsock_skb_rx_put.patch --- ...uce-skb_copy_datagram_from_iter_full.patch | 67 ++++++++++ queue-6.12/series | 8 ++ ...s-for-handling-large-receive-buffers.patch | 116 ++++++++++++++++++ ...-for-handling-large-transmit-buffers.patch | 56 +++++++++ ...e-iterator-handling-on-transmit-path.patch | 77 ++++++++++++ ...o-callers-of-virtio_vsock_skb_rx_put.patch | 82 +++++++++++++ ...ocation-lower-bound-check-to-callers.patch | 56 +++++++++ ...virtio-rename-virtio_vsock_alloc_skb.patch | 77 ++++++++++++ ...irtio-rename-virtio_vsock_skb_rx_put.patch | 63 ++++++++++ 9 files changed, 602 insertions(+) create mode 100644 queue-6.12/net-introduce-skb_copy_datagram_from_iter_full.patch create mode 100644 queue-6.12/vhost-vsock-allocate-nonlinear-skbs-for-handling-large-receive-buffers.patch create mode 100644 queue-6.12/vsock-virtio-allocate-nonlinear-skbs-for-handling-large-transmit-buffers.patch create mode 100644 queue-6.12/vsock-virtio-fix-message-iterator-handling-on-transmit-path.patch create mode 100644 queue-6.12/vsock-virtio-move-length-check-to-callers-of-virtio_vsock_skb_rx_put.patch create mode 100644 queue-6.12/vsock-virtio-move-skb-allocation-lower-bound-check-to-callers.patch create mode 100644 queue-6.12/vsock-virtio-rename-virtio_vsock_alloc_skb.patch create mode 100644 queue-6.12/vsock-virtio-rename-virtio_vsock_skb_rx_put.patch 
diff --git a/queue-6.12/net-introduce-skb_copy_datagram_from_iter_full.patch b/queue-6.12/net-introduce-skb_copy_datagram_from_iter_full.patch
new file mode 100644
index 0000000000..af9dbd760a
--- /dev/null
+++ b/queue-6.12/net-introduce-skb_copy_datagram_from_iter_full.patch
@@ -0,0 +1,67 @@ +From stable+bounces-211683-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:45 2026 +From: Heitor Alves de Siqueira +Date: Mon, 26 Jan 2026 17:16:58 -0300 +Subject: net: Introduce skb_copy_datagram_from_iter_full() +To: stable@vger.kernel.org, "Stefan Hajnoczi" , "Stefano Garzarella" , "Michael S. Tsirkin" , "Jason Wang" , "Eugenio Pérez" , "Xuan Zhuo" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Will Deacon" +Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira , Christian Brauner , Alexander Viro +Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-7-ad5c34853a60@igalia.com> + +From: Will Deacon + +[Upstream commit b08a784a5d1495c42ff9b0c70887d49211cddfe0] + +In a similar manner to copy_from_iter()/copy_from_iter_full(), introduce +skb_copy_datagram_from_iter_full() which reverts the iterator to its +initial state when returning an error. + +A subsequent fix for a vsock regression will make use of this new +function. + +Cc: Christian Brauner +Cc: Alexander Viro +Signed-off-by: Will Deacon +Acked-by: Michael S. 
Tsirkin +Reviewed-by: Stefan Hajnoczi +Link: https://patch.msgid.link/20250818180355.29275-2-will@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 2 ++ + net/core/datagram.c | 14 ++++++++++++++ + 2 files changed, 16 insertions(+) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4117,6 +4117,8 @@ int skb_copy_and_hash_datagram_iter(cons + struct ahash_request *hash); + int skb_copy_datagram_from_iter(struct sk_buff *skb, int offset, + struct iov_iter *from, int len); ++int skb_copy_datagram_from_iter_full(struct sk_buff *skb, int offset, ++ struct iov_iter *from, int len); + int zerocopy_sg_from_iter(struct sk_buff *skb, struct iov_iter *frm); + void skb_free_datagram(struct sock *sk, struct sk_buff *skb); + int skb_kill_datagram(struct sock *sk, struct sk_buff *skb, unsigned int flags); +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -621,6 +621,20 @@ fault: + } + EXPORT_SYMBOL(skb_copy_datagram_from_iter); + ++int skb_copy_datagram_from_iter_full(struct sk_buff *skb, int offset, ++ struct iov_iter *from, int len) ++{ ++ struct iov_iter_state state; ++ int ret; ++ ++ iov_iter_save_state(from, &state); ++ ret = skb_copy_datagram_from_iter(skb, offset, from, len); ++ if (ret) ++ iov_iter_restore(from, &state); ++ return ret; ++} ++EXPORT_SYMBOL(skb_copy_datagram_from_iter_full); ++ + int zerocopy_fill_skb_from_iter(struct sk_buff *skb, + struct iov_iter *from, size_t length) + { diff --git a/queue-6.12/series b/queue-6.12/series index 7042fb94a1..bc8b60bc1c 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
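Review bot: The new exported helper skb_copy_datagram_from_iter_full() in net/core/datagram.c has no comment stating its contract, and the only thing that separates it from skb_copy_datagram_from_iter() is what happens to the iterator on failure. A short kernel-doc block above the definition would make that explicit, for example `/* Like skb_copy_datagram_from_iter(), but restores @from to its state on entry if the copy fails. */`. It is also worth stating that the skb is not rolled back: the added lines save and restore only the iov_iter, so any bytes copied into the skb before a fault stay there and the caller presumably has to discard it.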
@@ -159,3 +159,11 @@ fs-ntfs3-initialize-allocated-memory-before-use.patch
 accel-ivpu-fix-race-condition-when-unbinding-bos.patch
 btrfs-fix-racy-bitfield-write-in-btrfs_clear_space_info_full.patch
 wifi-ath11k-fix-rcu-stall-while-reaping-monitor-destination-ring.patch
+vsock-virtio-move-length-check-to-callers-of-virtio_vsock_skb_rx_put.patch
+vsock-virtio-rename-virtio_vsock_alloc_skb.patch
+vsock-virtio-move-skb-allocation-lower-bound-check-to-callers.patch
+vsock-virtio-rename-virtio_vsock_skb_rx_put.patch
+vhost-vsock-allocate-nonlinear-skbs-for-handling-large-receive-buffers.patch
+vsock-virtio-allocate-nonlinear-skbs-for-handling-large-transmit-buffers.patch
+net-introduce-skb_copy_datagram_from_iter_full.patch
+vsock-virtio-fix-message-iterator-handling-on-transmit-path.patch
diff --git a/queue-6.12/vhost-vsock-allocate-nonlinear-skbs-for-handling-large-receive-buffers.patch b/queue-6.12/vhost-vsock-allocate-nonlinear-skbs-for-handling-large-receive-buffers.patch
new file mode 100644
index 0000000000..1fdbb94ce7
--- /dev/null
+++ b/queue-6.12/vhost-vsock-allocate-nonlinear-skbs-for-handling-large-receive-buffers.patch
@@ -0,0 +1,116 @@ +From stable+bounces-211682-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:48 2026 +From: Heitor Alves de Siqueira +Date: Mon, 26 Jan 2026 17:16:56 -0300 +Subject: vhost/vsock: Allocate nonlinear SKBs for handling large receive buffers +To: stable@vger.kernel.org, "Stefan Hajnoczi" , "Stefano Garzarella" , "Michael S. Tsirkin" , "Jason Wang" , "Eugenio Pérez" , "Xuan Zhuo" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Will Deacon" +Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira +Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-5-ad5c34853a60@igalia.com> + +From: Will Deacon + +[Upstream commit ab9aa2f3afc2713c14f6c4c6b90c9a0933b837f1] + +When receiving a packet from a guest, vhost_vsock_handle_tx_kick() +calls vhost_vsock_alloc_linear_skb() to allocate and fill an SKB with +the receive data. Unfortunately, these are always linear allocations and +can therefore result in significant pressure on kmalloc() considering +that the maximum packet size (VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + +VIRTIO_VSOCK_SKB_HEADROOM) is a little over 64KiB, resulting in a 128KiB +allocation for each packet. + +Rework the vsock SKB allocation so that, for sizes with page order +greater than PAGE_ALLOC_COSTLY_ORDER, a nonlinear SKB is allocated +instead with the packet header in the SKB and the receive data in the +fragments. Finally, add a debug warning if virtio_vsock_skb_rx_put() is +ever called on an SKB with a non-zero length, as this would be +destructive for the nonlinear case. + +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-8-will@kernel.org> +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vsock.c | 8 +++----- + include/linux/virtio_vsock.h | 32 +++++++++++++++++++++++++++++--- + 2 files changed, 32 insertions(+), 8 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -350,7 +350,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq + return NULL; + + /* len contains both payload and hdr */ +- skb = virtio_vsock_alloc_linear_skb(len, GFP_KERNEL); ++ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL); + if (!skb) + return NULL; + +@@ -379,10 +379,8 @@ vhost_vsock_alloc_skb(struct vhost_virtq + + virtio_vsock_skb_put(skb, payload_len); + +- nbytes = copy_from_iter(skb->data, payload_len, &iov_iter); +- if (nbytes != payload_len) { +- vq_err(vq, "Expected %zu byte payload, got %zu bytes\n", +- payload_len, nbytes); ++ if (skb_copy_datagram_from_iter(skb, 0, &iov_iter, payload_len)) { ++ vq_err(vq, "Failed to copy %zu byte payload\n", payload_len); + kfree_skb(skb); + return NULL; + } +--- a/include/linux/virtio_vsock.h ++++ b/include/linux/virtio_vsock.h +@@ -49,22 +49,48 @@ static inline void virtio_vsock_skb_clea + + static inline void virtio_vsock_skb_put(struct sk_buff *skb, u32 len) + { +- skb_put(skb, len); ++ DEBUG_NET_WARN_ON_ONCE(skb->len); ++ ++ if (skb_is_nonlinear(skb)) ++ skb->len = len; ++ else ++ skb_put(skb, len); + } + + static inline struct sk_buff * +-virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask) ++__virtio_vsock_alloc_skb_with_frags(unsigned int header_len, ++ unsigned int data_len, ++ gfp_t mask) + { + struct sk_buff *skb; ++ int err; + +- skb = alloc_skb(size, mask); ++ skb = alloc_skb_with_frags(header_len, data_len, ++ PAGE_ALLOC_COSTLY_ORDER, &err, mask); + if (!skb) + return NULL; + + skb_reserve(skb, VIRTIO_VSOCK_SKB_HEADROOM); ++ skb->data_len = data_len; + return skb; + } + ++static inline struct sk_buff * ++virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask) ++{ ++ return 
__virtio_vsock_alloc_skb_with_frags(size, 0, mask); ++} ++ ++static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask) ++{ ++ if (size <= SKB_WITH_OVERHEAD(PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER)) ++ return virtio_vsock_alloc_linear_skb(size, mask); ++ ++ size -= VIRTIO_VSOCK_SKB_HEADROOM; ++ return __virtio_vsock_alloc_skb_with_frags(VIRTIO_VSOCK_SKB_HEADROOM, ++ size, mask); ++} ++ + static inline void + virtio_vsock_skb_queue_head(struct sk_buff_head *list, struct sk_buff *skb) + { diff --git a/queue-6.12/vsock-virtio-allocate-nonlinear-skbs-for-handling-large-transmit-buffers.patch b/queue-6.12/vsock-virtio-allocate-nonlinear-skbs-for-handling-large-transmit-buffers.patch new file mode 100644 index 0000000000..9fa63719d6 --- /dev/null +++ b/queue-6.12/vsock-virtio-allocate-nonlinear-skbs-for-handling-large-transmit-buffers.patch 
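Review bot: In the nonlinear branch of virtio_vsock_skb_put() (include/linux/virtio_vsock.h), `skb->len = len;` is assigned directly while `skb->data_len` was already fixed to the allocation size in __virtio_vsock_alloc_skb_with_frags(), and nothing in the hunk states or checks that the two agree. If a caller passes a length smaller than the fragment space that was allocated, skb->len would end up below skb->data_len, so the expected relationship deserves a comment above the branch, e.g. `/* nonlinear: payload lives in the frags; len is expected to match the data_len set at allocation */`, or a `DEBUG_NET_WARN_ON_ONCE()` on the mismatch if that really is the invariant. The length validation in vhost_vsock_alloc_skb() is only partly visible here, so this needs confirming against the full function. Separately, the `err` out-parameter passed to alloc_skb_with_frags() is written but never read.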
@@ -0,0 +1,56 @@ +From stable+bounces-211684-greg=kroah.com@vger.kernel.org Mon Jan 26 21:19:13 2026 +From: Heitor Alves de Siqueira +Date: Mon, 26 Jan 2026 17:16:57 -0300 +Subject: vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers +To: stable@vger.kernel.org, "Stefan Hajnoczi" , "Stefano Garzarella" , "Michael S. Tsirkin" , "Jason Wang" , "Eugenio Pérez" , "Xuan Zhuo" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Will Deacon" +Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira +Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-6-ad5c34853a60@igalia.com> + +From: Will Deacon + +[Upstream commit 6693731487a8145a9b039bc983d77edc47693855] + +When transmitting a vsock packet, virtio_transport_send_pkt_info() calls +virtio_transport_alloc_linear_skb() to allocate and fill SKBs with the +transmit data. Unfortunately, these are always linear allocations and +can therefore result in significant pressure on kmalloc() considering +that the maximum packet size (VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + +VIRTIO_VSOCK_SKB_HEADROOM) is a little over 64KiB, resulting in a 128KiB +allocation for each packet. + +Rework the vsock SKB allocation so that, for sizes with page order +greater than PAGE_ALLOC_COSTLY_ORDER, a nonlinear SKB is allocated +instead with the packet header in the SKB and the transmit data in the +fragments. Note that this affects both the vhost and virtio transports. + +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-10-will@kernel.org> +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -111,7 +111,8 @@ static int virtio_transport_fill_skb(str + &info->msg->msg_iter, + len); + +- return memcpy_from_msg(skb_put(skb, len), info->msg, len); ++ virtio_vsock_skb_put(skb, len); ++ return skb_copy_datagram_from_iter(skb, 0, &info->msg->msg_iter, len); + } + + static void virtio_transport_init_hdr(struct sk_buff *skb, +@@ -263,7 +264,7 @@ static struct sk_buff *virtio_transport_ + if (!zcopy) + skb_len += payload_len; + +- skb = virtio_vsock_alloc_linear_skb(skb_len, GFP_KERNEL); ++ skb = virtio_vsock_alloc_skb(skb_len, GFP_KERNEL); + if (!skb) + return NULL; + diff --git a/queue-6.12/vsock-virtio-fix-message-iterator-handling-on-transmit-path.patch b/queue-6.12/vsock-virtio-fix-message-iterator-handling-on-transmit-path.patch new file mode 100644 index 0000000000..34fb443290 --- /dev/null +++ b/queue-6.12/vsock-virtio-fix-message-iterator-handling-on-transmit-path.patch 
@@ -0,0 +1,77 @@ +From stable+bounces-211685-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:55 2026 +From: Heitor Alves de Siqueira +Date: Mon, 26 Jan 2026 17:16:59 -0300 +Subject: vsock/virtio: Fix message iterator handling on transmit path +To: stable@vger.kernel.org, "Stefan Hajnoczi" , "Stefano Garzarella" , "Michael S. Tsirkin" , "Jason Wang" , "Eugenio Pérez" , "Xuan Zhuo" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Will Deacon" +Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira , syzbot+b4d960daf7a3c7c2b7b1@syzkaller.appspotmail.com +Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-8-ad5c34853a60@igalia.com> + +From: Will Deacon + +[Upstream commit 7fb1291257ea1e27dbc3f34c6a37b4d640aafdd7] + +Commit 6693731487a8 ("vsock/virtio: Allocate nonlinear SKBs for handling +large transmit buffers") converted the virtio vsock transmit path to +utilise nonlinear SKBs when handling large buffers. As part of this +change, virtio_transport_fill_skb() was updated to call +skb_copy_datagram_from_iter() instead of memcpy_from_msg() as the latter +expects a single destination buffer and cannot handle nonlinear SKBs +correctly. + +Unfortunately, during this conversion, I overlooked the error case when +the copying function returns -EFAULT due to a fault on the input buffer +in userspace. In this case, memcpy_from_msg() reverts the iterator to +its initial state thanks to copy_from_iter_full() whereas +skb_copy_datagram_from_iter() leaves the iterator partially advanced. 
+This results in a WARN_ONCE() from the vsock code, which expects the +iterator to stay in sync with the number of bytes transmitted so that +virtio_transport_send_pkt_info() can return -EFAULT when it is called +again: + + ------------[ cut here ]------------ + 'send_pkt()' returns 0, but 65536 expected + WARNING: CPU: 0 PID: 5503 at net/vmw_vsock/virtio_transport_common.c:428 virtio_transport_send_pkt_info+0xd11/0xf00 net/vmw_vsock/virtio_transport_common.c:426 + Modules linked in: + CPU: 0 UID: 0 PID: 5503 Comm: syz.0.17 Not tainted 6.16.0-syzkaller-12063-g37816488247d #0 PREEMPT(full) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 + +Call virtio_transport_fill_skb_full() to restore the previous iterator +behaviour. + +Cc: Jason Wang +Cc: Stefano Garzarella +Fixes: 6693731487a8 ("vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers") +Reported-by: syzbot+b4d960daf7a3c7c2b7b1@syzkaller.appspotmail.com +Signed-off-by: Will Deacon +Acked-by: Michael S. 
Tsirkin +Reviewed-by: Stefan Hajnoczi +Link: https://patch.msgid.link/20250818180355.29275-3-will@kernel.org +Signed-off-by: Jakub Kicinski +[halves: adjust __zerocopy_sg_from_iter() parameters] +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -106,13 +106,15 @@ static int virtio_transport_fill_skb(str + size_t len, + bool zcopy) + { ++ struct msghdr *msg = info->msg; ++ + if (zcopy) +- return __zerocopy_sg_from_iter(info->msg, NULL, skb, +- &info->msg->msg_iter, ++ return __zerocopy_sg_from_iter(msg, NULL, skb, ++ &msg->msg_iter, + len); + + virtio_vsock_skb_put(skb, len); +- return skb_copy_datagram_from_iter(skb, 0, &info->msg->msg_iter, len); ++ return skb_copy_datagram_from_iter_full(skb, 0, &msg->msg_iter, len); + } + + static void virtio_transport_init_hdr(struct sk_buff *skb, diff --git a/queue-6.12/vsock-virtio-move-length-check-to-callers-of-virtio_vsock_skb_rx_put.patch b/queue-6.12/vsock-virtio-move-length-check-to-callers-of-virtio_vsock_skb_rx_put.patch new file mode 100644 index 0000000000..30122a690f --- /dev/null +++ b/queue-6.12/vsock-virtio-move-length-check-to-callers-of-virtio_vsock_skb_rx_put.patch 
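Review bot: Only the copy branch of virtio_transport_fill_skb() gains the restore-on-error behaviour; the `zcopy` branch still returns the result of __zerocopy_sg_from_iter() directly. Whether that path can also fail with msg->msg_iter partially advanced, and so reach the same WARN in virtio_transport_send_pkt_info(), cannot be told from this hunk and is worth confirming. A comment above the function recording which branch guarantees an unchanged iterator on failure would help the next reader. The description also says the fix calls virtio_transport_fill_skb_full(), whereas the added line calls `skb_copy_datagram_from_iter_full()`.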
@@ -0,0 +1,82 @@ +From stable+bounces-211680-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:33 2026 +From: Heitor Alves de Siqueira +Date: Mon, 26 Jan 2026 17:16:52 -0300 +Subject: vsock/virtio: Move length check to callers of virtio_vsock_skb_rx_put() +To: stable@vger.kernel.org, "Stefan Hajnoczi" , "Stefano Garzarella" , "Michael S. Tsirkin" , "Jason Wang" , "Eugenio Pérez" , "Xuan Zhuo" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Will Deacon" +Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira +Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-1-ad5c34853a60@igalia.com> + +From: Will Deacon + +[Upstream commit 87dbae5e36613a6020f3d64a2eaeac0a1e0e6dc6] + +virtio_vsock_skb_rx_put() only calls skb_put() if the length in the +packet header is not zero even though skb_put() handles this case +gracefully. + +Remove the functionally redundant check from virtio_vsock_skb_rx_put() +and, on the assumption that this is a worthwhile optimisation for +handling credit messages, augment the existing length checks in +virtio_transport_rx_work() to elide the call for zero-length payloads. +Since the callers all have the length, extend virtio_vsock_skb_rx_put() +to take it as an additional parameter rather than fish it back out of +the packet header. + +Note that the vhost code already has similar logic in +vhost_vsock_alloc_skb(). + +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-4-will@kernel.org> +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vsock.c | 2 +- + include/linux/virtio_vsock.h | 9 ++------- + net/vmw_vsock/virtio_transport.c | 4 +++- + 3 files changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -376,7 +376,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq + return NULL; + } + +- virtio_vsock_skb_rx_put(skb); ++ virtio_vsock_skb_rx_put(skb, payload_len); + + nbytes = copy_from_iter(skb->data, payload_len, &iov_iter); + if (nbytes != payload_len) { +--- a/include/linux/virtio_vsock.h ++++ b/include/linux/virtio_vsock.h +@@ -47,14 +47,9 @@ static inline void virtio_vsock_skb_clea + VIRTIO_VSOCK_SKB_CB(skb)->tap_delivered = false; + } + +-static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb) ++static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb, u32 len) + { +- u32 len; +- +- len = le32_to_cpu(virtio_vsock_hdr(skb)->len); +- +- if (len > 0) +- skb_put(skb, len); ++ skb_put(skb, len); + } + + static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask) +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -656,7 +656,9 @@ static void virtio_transport_rx_work(str + continue; + } + +- virtio_vsock_skb_rx_put(skb); ++ if (payload_len) ++ virtio_vsock_skb_rx_put(skb, payload_len); ++ + virtio_transport_deliver_tap_pkt(skb); + virtio_transport_recv_pkt(&virtio_transport, skb); + } diff --git a/queue-6.12/vsock-virtio-move-skb-allocation-lower-bound-check-to-callers.patch b/queue-6.12/vsock-virtio-move-skb-allocation-lower-bound-check-to-callers.patch new file mode 100644 index 0000000000..0aabc12a95 --- /dev/null +++ b/queue-6.12/vsock-virtio-move-skb-allocation-lower-bound-check-to-callers.patch 
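Review bot: After this change virtio_vsock_skb_rx_put() hands a caller-supplied `len` straight to `skb_put()`, so the helper depends entirely on its callers having bounded that length against the buffer, and that contract is not written down anywhere in the hunk. The removed lines show the value comes from the packet header, which is presumably peer-controlled, and the checks that precede the calls in vhost_vsock_alloc_skb() and virtio_transport_rx_work() are outside the visible context. A one-line comment on the helper would make the requirement explicit, e.g. `/* @len must already be validated against the space available in @skb */`.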
@@ -0,0 +1,56 @@ +From stable+bounces-211678-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:32 2026 +From: Heitor Alves de Siqueira +Date: Mon, 26 Jan 2026 17:16:54 -0300 +Subject: vsock/virtio: Move SKB allocation lower-bound check to callers +To: stable@vger.kernel.org, "Stefan Hajnoczi" , "Stefano Garzarella" , "Michael S. Tsirkin" , "Jason Wang" , "Eugenio Pérez" , "Xuan Zhuo" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Will Deacon" +Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira +Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-3-ad5c34853a60@igalia.com> + +From: Will Deacon + +[Upstream commit fac6b82e0f3eaca33c8c67ec401681b21143ae17] + +virtio_vsock_alloc_linear_skb() checks that the requested size is at +least big enough for the packet header (VIRTIO_VSOCK_SKB_HEADROOM). + +Of the three callers of virtio_vsock_alloc_linear_skb(), only +vhost_vsock_alloc_skb() can potentially pass a packet smaller than the +header size and, as it already has a check against the maximum packet +size, extend its bounds checking to consider the minimum packet size +and remove the check from virtio_vsock_alloc_linear_skb(). + +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-7-will@kernel.org> +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vsock.c | 3 ++- + include/linux/virtio_vsock.h | 3 --- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -345,7 +345,8 @@ vhost_vsock_alloc_skb(struct vhost_virtq + + len = iov_length(vq->iov, out); + +- if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM) ++ if (len < VIRTIO_VSOCK_SKB_HEADROOM || ++ len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM) + return NULL; + + /* len contains both payload and hdr */ +--- a/include/linux/virtio_vsock.h ++++ b/include/linux/virtio_vsock.h +@@ -57,9 +57,6 @@ virtio_vsock_alloc_linear_skb(unsigned i + { + struct sk_buff *skb; + +- if (size < VIRTIO_VSOCK_SKB_HEADROOM) +- return NULL; +- + skb = alloc_skb(size, mask); + if (!skb) + return NULL; diff --git a/queue-6.12/vsock-virtio-rename-virtio_vsock_alloc_skb.patch b/queue-6.12/vsock-virtio-rename-virtio_vsock_alloc_skb.patch new file mode 100644 index 0000000000..d758580fbe --- /dev/null +++ b/queue-6.12/vsock-virtio-rename-virtio_vsock_alloc_skb.patch 
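Review bot: With the size check removed, virtio_vsock_alloc_linear_skb() is left with an unstated precondition that `size` is at least VIRTIO_VSOCK_SKB_HEADROOM, backed only by the description's statement about its three callers. The new `len < VIRTIO_VSOCK_SKB_HEADROOM` test in vhost_vsock_alloc_skb() then becomes the only guard between a descriptor length taken from the virtqueue and the helper, and a future caller would get no warning. Keeping the requirement visible in the helper costs little, either as a comment or as `DEBUG_NET_WARN_ON_ONCE(size < VIRTIO_VSOCK_SKB_HEADROOM);` before the `alloc_skb()` call. The helper's body continues past the end of the hunk, so what it does with the headroom after allocation is not visible here.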
@@ -0,0 +1,77 @@ +From stable+bounces-211677-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:33 2026 +From: Heitor Alves de Siqueira +Date: Mon, 26 Jan 2026 17:16:53 -0300 +Subject: vsock/virtio: Rename virtio_vsock_alloc_skb() +To: stable@vger.kernel.org, "Stefan Hajnoczi" , "Stefano Garzarella" , "Michael S. Tsirkin" , "Jason Wang" , "Eugenio Pérez" , "Xuan Zhuo" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Will Deacon" +Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira +Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-2-ad5c34853a60@igalia.com> + +From: Will Deacon + +[Upstream commit 2304c64a2866c58534560c63dc6e79d09b8f8d8d] + +In preparation for nonlinear allocations for large SKBs, rename +virtio_vsock_alloc_skb() to virtio_vsock_alloc_linear_skb() to indicate +that it returns linear SKBs unconditionally and switch all callers over +to this new interface for now. + +No functional change. + +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-6-will@kernel.org> +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vsock.c | 2 +- + include/linux/virtio_vsock.h | 3 ++- + net/vmw_vsock/virtio_transport.c | 2 +- + net/vmw_vsock/virtio_transport_common.c | 2 +- + 4 files changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -349,7 +349,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq + return NULL; + + /* len contains both payload and hdr */ +- skb = virtio_vsock_alloc_skb(len, GFP_KERNEL); ++ skb = virtio_vsock_alloc_linear_skb(len, GFP_KERNEL); + if (!skb) + return NULL; + +--- a/include/linux/virtio_vsock.h ++++ b/include/linux/virtio_vsock.h +@@ -52,7 +52,8 @@ static inline void virtio_vsock_skb_rx_p + skb_put(skb, len); + } + +-static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask) ++static inline struct sk_buff * ++virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask) + { + struct sk_buff *skb; + +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -316,7 +316,7 @@ static void virtio_vsock_rx_fill(struct + vq = vsock->vqs[VSOCK_VQ_RX]; + + do { +- skb = virtio_vsock_alloc_skb(total_len, GFP_KERNEL); ++ skb = virtio_vsock_alloc_linear_skb(total_len, GFP_KERNEL); + if (!skb) + break; + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -263,7 +263,7 @@ static struct sk_buff *virtio_transport_ + if (!zcopy) + skb_len += payload_len; + +- skb = virtio_vsock_alloc_skb(skb_len, GFP_KERNEL); ++ skb = virtio_vsock_alloc_linear_skb(skb_len, GFP_KERNEL); + if (!skb) + return NULL; + diff --git a/queue-6.12/vsock-virtio-rename-virtio_vsock_skb_rx_put.patch b/queue-6.12/vsock-virtio-rename-virtio_vsock_skb_rx_put.patch new file mode 100644 index 0000000000..4d0c64e96c --- /dev/null +++ b/queue-6.12/vsock-virtio-rename-virtio_vsock_skb_rx_put.patch 
@@ -0,0 +1,63 @@ +From stable+bounces-211681-greg=kroah.com@vger.kernel.org Mon Jan 26 21:19:03 2026 +From: Heitor Alves de Siqueira +Date: Mon, 26 Jan 2026 17:16:55 -0300 +Subject: vsock/virtio: Rename virtio_vsock_skb_rx_put() +To: stable@vger.kernel.org, "Stefan Hajnoczi" , "Stefano Garzarella" , "Michael S. Tsirkin" , "Jason Wang" , "Eugenio Pérez" , "Xuan Zhuo" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Will Deacon" +Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira +Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-4-ad5c34853a60@igalia.com> + +From: Will Deacon + +[Upstream commit 8ca76151d2c8219edea82f1925a2a25907ff6a9d] + +In preparation for using virtio_vsock_skb_rx_put() when populating SKBs +on the vsock TX path, rename virtio_vsock_skb_rx_put() to +virtio_vsock_skb_put(). + +No functional change. + +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-9-will@kernel.org> +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vsock.c | 2 +- + include/linux/virtio_vsock.h | 2 +- + net/vmw_vsock/virtio_transport.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -377,7 +377,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq + return NULL; + } + +- virtio_vsock_skb_rx_put(skb, payload_len); ++ virtio_vsock_skb_put(skb, payload_len); + + nbytes = copy_from_iter(skb->data, payload_len, &iov_iter); + if (nbytes != payload_len) { +--- a/include/linux/virtio_vsock.h ++++ b/include/linux/virtio_vsock.h +@@ -47,7 +47,7 @@ static inline void virtio_vsock_skb_clea + VIRTIO_VSOCK_SKB_CB(skb)->tap_delivered = false; + } + +-static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb, u32 len) ++static inline void virtio_vsock_skb_put(struct sk_buff *skb, u32 len) + { + skb_put(skb, len); + } +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -657,7 +657,7 @@ static void virtio_transport_rx_work(str + } + + if (payload_len) +- virtio_vsock_skb_rx_put(skb, payload_len); ++ virtio_vsock_skb_put(skb, payload_len); + + virtio_transport_deliver_tap_pkt(skb); + virtio_transport_recv_pkt(&virtio_transport, skb); -- 2.47.3